Tags: symfony, fosrestbundle, fosoauthserverbundle

Using Authorization header instead of access_token


Using the REST client extension, when I try to execute:

http://api.domain.com/app_dev.php/api/1.0/resource/get?id=1

Request Header:

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36
Authorization: Bearer %TOKEN%
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,ar;q=0.6
Cookie: __cfduid=db9759a3f1a39eb02d8daa62ef240c1031392572386844; _ga=GA1.2.972638156.1393664034; PHPSESSID=c15c8de4a1ee3a957274d4328448ff37

It returns

{"error":"access_denied","error_description":"OAuth2 authentication required"}

But when I try to pass the access_token in the query string http://api.domain.com/app_dev.php/api/1.0/resource/get?id=1&access_token=%TOKEN%

I'm using Symfony2, FOSRestBundle & NelmioCorsBundle, and this is what my config.yml looks like:

fos_rest:
    param_fetcher_listener: true
    body_listener: true
    format_listener: true
    view:
        view_response_listener: 'force'
        formats:
            xml: true
            json : true
        templating_formats:
            html: true
        force_redirects:
            html: true
        failed_validation: HTTP_BAD_REQUEST
        default_engine: php
    routing_loader:
        default_format: json

fos_oauth_server:
    db_driver: orm
    client_class:        MyApp\ApiBundle\Entity\Client
    access_token_class:  MyApp\ApiBundle\Entity\AccessToken
    refresh_token_class: MyApp\ApiBundle\Entity\RefreshToken
    auth_code_class:     MyApp\ApiBundle\Entity\AuthCode
    service:
        user_provider: fos_user.user_manager
        options:
            # Changing tokens and authcode lifetime
            access_token_lifetime: 300000000
            refresh_token_lifetime: 300000000
            auth_code_lifetime: 30

nelmio_cors:
    defaults:
        allow_credentials: false
        allow_origin: ['*']
        allow_headers: ['*']
        allow_methods: []
        expose_headers: []
        max_age: 0
        hosts: []
    paths:
        '^/api/':
            allow_origin: ['*']
            allow_headers: ['X-Custom-Auth']
            allow_methods: ['POST', 'PUT', 'GET', 'DELETE']
            max_age: 3600
        '^/':
            allow_origin: ['*']
            allow_headers: ['X-Custom-Auth']
            allow_methods: ['POST', 'PUT', 'GET', 'DELETE']
            max_age: 3600
            hosts: ['^api\.']

Solution

  • Had faced the same issue.

    Adding

    RewriteEngine On
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]

    to the virtual host, inside the VirtualHost block, solved it.

    Refer to this: Similar issue
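The rewrite rule in the answer works around Apache dropping the Authorization header before it reaches PHP when PHP runs as CGI/FastCGI; with the rule in place the header value shows up as the HTTP_AUTHORIZATION environment variable (or REDIRECT_HTTP_AUTHORIZATION after an internal redirect). The following is an added example, not code from the question, the answer, or FOSOAuthServerBundle, showing how to read the Bearer token from every place it can land and how to tell which one was populated so the vhost fix can be verified rather than guessed. It assumes PHP 7.1+ (nullable return types); extractBearerToken and authorizationHeaderDiagnostic are this example's own names, and the $_SERVER-style arrays at the bottom are constructed sample input.

```php
<?php
// Added example (not from the original post or any bundle): locate the Bearer
// token after Apache has been told to forward the Authorization header to PHP.

/**
 * Return the bearer token found in $server (a $_SERVER-style array) or in
 * $headers (an apache_request_headers()-style array), or null if none.
 *
 * mod_php:      header arrives as HTTP_AUTHORIZATION.
 * CGI/FastCGI:  Apache drops it unless a RewriteRule/SetEnvIf copies it into
 *               an env var; after an internal redirect the var is prefixed
 *               with REDIRECT_. apache_request_headers() is a last resort.
 */
function extractBearerToken(array $server, array $headers = []): ?string
{
    $candidates = [
        $server['HTTP_AUTHORIZATION'] ?? null,
        $server['REDIRECT_HTTP_AUTHORIZATION'] ?? null,
        $headers['Authorization'] ?? $headers['authorization'] ?? null,
    ];

    foreach ($candidates as $value) {
        if (!is_string($value) || $value === '') {
            continue;
        }
        // RFC 6750: scheme name is case-insensitive; token is b64token
        // (ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/", optional "=" padding).
        if (preg_match('/^\s*Bearer\s+([A-Za-z0-9\-._~+\/]+=*)\s*$/i', $value, $m)) {
            return $m[1];
        }
    }
    return null;
}

/**
 * Report where (if anywhere) the Authorization header reached PHP, so the
 * effect of the vhost change can be checked from a single request.
 */
function authorizationHeaderDiagnostic(array $server, array $headers = []): string
{
    if (isset($server['HTTP_AUTHORIZATION'])) {
        return 'header present in HTTP_AUTHORIZATION';
    }
    if (isset($server['REDIRECT_HTTP_AUTHORIZATION'])) {
        return 'header present only in REDIRECT_HTTP_AUTHORIZATION (internal redirect occurred)';
    }
    if (isset($headers['Authorization']) || isset($headers['authorization'])) {
        return 'header visible only via apache_request_headers(); env var not populated';
    }
    return 'Authorization header not delivered to PHP; check CGI/FastCGI handling in the vhost';
}

// --- Constructed sample inputs standing in for $_SERVER on three setups ---
$modPhp    = ['HTTP_AUTHORIZATION' => 'Bearer abc123'];
$fastCgiOk = ['REDIRECT_HTTP_AUTHORIZATION' => 'Bearer abc123']; // rule applied, then internal redirect
$stripped  = ['REQUEST_URI' => '/api/1.0/resource/get?id=1'];      // header dropped by Apache

foreach (['mod_php' => $modPhp, 'fastcgi' => $fastCgiOk, 'stripped' => $stripped] as $name => $server) {
    printf("%-9s token=%s  (%s)\n", $name,
        extractBearerToken($server) ?? 'none',
        authorizationHeaderDiagnostic($server));
}

// In a live request:
// $headers = function_exists('apache_request_headers') ? apache_request_headers() : [];
// $token   = extractBearerToken($_SERVER, $headers);
```

Run it with the PHP CLI to see the three cases; in a real deployment, drop the diagnostic into a throwaway endpoint, send one request with the Authorization header, and confirm it reports HTTP_AUTHORIZATION before relying on the rule. Forwarding the header is preferable to the query-string fallback the question mentions: a token in the URL ends up in access logs, proxy logs and browser history, which is why RFC 6750 discourages the query parameter form. On Apache 2.4.13 and later, the CGIPassAuth directive is the supported way to pass the header through to CGI/FastCGI handlers without a rewrite rule.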